Is it permissible to request an approval for an updated privacy policy together with a change of the terms and conditions and to deny access to a service in case of refusal?

According to the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes”. It should be a clear affirmative act in which you agree to the way the company or organization proposes to process your data. Consent can be given by ticking a box when visiting an internet website, or another statement or conduct, so long as it clearly indicates your intention to say “yes, I agree”.

Consent cannot be implied from your inactivity or a random action. The fact that you continue to use a given service or the fact that you closed the pop up informing you about GDPR does not mean that you gave consent. Only “clear affirmative actions ” can be interpreted as consent. For example, the fact that you typed your e-mail in the box requesting a newsletter can be interpreted as consent for data to be processed for this purpose.

Consent cannot be forced in any way (eg. by saying that without consent for processing data you cannot use a given service), nor can it be “hidden” in the general terms and conditions. It is not possible to agree to general terms and conditions AND to specific types of data processing with the same click. However, keep in mind that:

  1. Often companies do not have to ask for your consent, because they have other legal grounds to process your data (eg. data that is necessary to provide the service you want; data that is justified by their legitimate interest);
  2. It is okay to demand that you accept general terms and conditions of a given service (otherwise how can you use it?), as long as there is no hidden “consent clause” inside. Privacy policy (or similar, non-negotiable documents) can only refer to data that is required (necessary) if you want to use this service.

Leave a Reply